The vulnerability requires that an attacker have valid logon credentials or, to put it in a more concrete way, that a logged-on user run the attack code. The attack code creates a special registry key. When the scanner encounters this key, the privileges of the attack program are elevated to those of the LocalSystem user.

LocalSystem is a predefined local account used by the service control manager. It acts for the computer on the network and has substantial privileges.

The advisory is unclear as to when the update which fixes the vulnerability was issued, but it does say that users normally configure all affected products to update themselves automatically, and that this typically will install the update within 48 hours of release. So it's a fair bet that the update was released about 48 hours ago.

The affected products are:

Windows Live OneCare

Microsoft Security Essentials

Microsoft Windows Defender

Microsoft Forefront Client Security

Microsoft Forefront Endpoint Protection 2010

Microsoft Malicious Software Removal Tool

There are a number of reasons not to be especially worried about this. Microsoft says that the vulnerability was privately reported and that they have no evidence that it was being exploited before it was fixed. The fixes apply automatically, so you should be protected by now unless you shut off updates to your anti-virus product, which everyone knows is a bad idea. Finally, the attack requires that the key be created in the context of a logged-on user. This isn't crazy difficult, but it's harder than anonymously and remotely attacking a user.